Our Corporate Overlords, Privacy

Lessons in Workplace Privacy: Sony’s Emails Could Easily Have Embarrassed Them Without Hacking

I’m fascinated by the hand-wringing and disbelief that accompanied the recent hack of Sony’s network, and particularly about the disclosure of embarrassing internal emails. Most of the commentary regarding the Sony hack has concerned either the salacious internal gossip that was revealed or the potential suppression of a mediocre movie whose plot may have been a catalyst for the hack, along with ongoing analysis of the security challenges for corporate networks in general. Yet, there has been little discussion of the “vulnerable-by-design” nature of email and the purposeful weakening of any expectation of privacy in workplace communications. Even if Sony’s leadership had responded more adroitly, and its technical staff had been able to rebuff the massive attack on their network, Sony’s email was already a potential weak point in the defense of sensitive information before any extortionist hackers got involved.

Consider, first, that email was designed in a more innocent age and traces its roots back to a time before the World Wide Web and the Internet as we know it today. An example of the limitations of the original design is the ease with which a spammer or phisher can “spoof” a legitimate email address, which basically involves swapping one address for another with about as much fuss as copy/pasting a sentence in Word. Just like revelations in recent years about the security weaknesses of the domain name system (DNS), there are venerable, fundamental systems operating on the internet that are nearly unpatchable and supremely vulnerable to the corruption and malfeasance of the modern age.

But there is more to the story of email’s vulnerability to disclosure than its technical limitations. We have actually chosen to make email particularly insecure, particularly in the workplace. Numerous times, employers have gone to court and consistently won cases upholding their right to read and monitor employee email without any specific cause or provocation. In addition to lower court rulings, a Supreme Court decision makes the employer’s right to monitor employee communications pretty clear. There have even been cases of employers seeking to legitimize the monitoring of non-work emails of their employees, and sometimes winning those too. Email privacy stands starkly apart from the the sacred trust conferred on a sealed letter headed to the post office. The grim acceptance of email content (and other electronic text) occupying some uniquely not-private status has been the norm for a very long time. Sony–its executives in particular–relied on an extremely untrustworthy medium to make snarky, even offensive comments about actors, projects, and President Obama, but they really should have known better. Unless we’re willing to wage a righteous fight to enshrine email, along with other workplace communications, with the same legitimacy enjoyed by the written (and mailed) word, we all need to grow up right now and stop pretending we can freely dish about our coworkers, clients, bosses, and other important people over email at work without repercussions. Let the Sony email hack serve as an eye-opening reminder to us all.

While we’re on the topic of workplace privacy intrusions, it bears briefly examining others to suggest that there is a progressive erosion of workplace privacy and ever-expanding culture of worker surveillance. If you work in a modern office, perhaps you’ve heard of “presence,” which involves using cues like a colored square in an email program to indicate your engagement with work. Maybe it’s green whenever you’re logged in and using your computer actively, red when you’re away or “busy,” and some other color for when all the system knows is that you’ve stopped typing–presumably to indicate that you might have stepped away or you might be talking directly to a colleague or you might be daydreaming. You’re forced to expose the moments that you dare to stop typing or clicking at your terminal like a good robot, even if you have otherwise satisfied the definitions of “present.” Newer phone systems, through integration with calendaring and messaging systems, helpfully supplement all this surveillance in the name of workplace efficiency and visibility. All in all, each generation of office technology seeks to inform others more and more about our every utterance and inclination.

Given such a workplace climate, should the staff at Sony really have had any expectation that their inner thoughts and most tasteless humor would not be made pubic someday? It’s not enough to cluck our tongues reciting abstractions about electronic privacy, particularly in the business world, being so shockingly vulnerable due to the efforts of hackers and other bad actors. In the case of workplace email, a culture of accessibility, disclosure, and exposure is built right in.

An in-depth NYT overview of the Sony hack can be found here.

Our Corporate Overlords, Privacy

When Copyright Met Privacy

As I’ve mentioned in an earlier post, I have broken copyright law and probably will do so again. I’ve made copies of books and articles–sometimes using the crude tools of the late 20th century (aka: the copy machine), and other times using far-easier tools like the “right click.” I’ve also copied “records” onto cassette tapes, burned CDs from store-bought ones, and received dozens of hours of music on flash drives from friends. Add to that the number of times I’ve grabbed an image from a website to use in a presentation of some sort. I know that these things are technically no-nos, but I don’t lose much sleep over them because my “piracy” is incredibly small, benefits only me, and doesn’t prevent me from spending a significant part of my income consuming art of every kind. If I were to stop “infringing” on copyrights tomorrow, I would likely spend the exact same amount each year on music, books, tickets to performances, and other arts products.

For most of my life, it has been nearly impossible for record labels and book publishers to detect my acts of copying, which is perhaps why they haven’t lost much sleep over it either (except while targeting technologies, like the VCR, the DAT machine and digital mini disks, RIP). They also haven’t seemed too concerned about used bookstores and the second-hand bin in record stores (for all that remain of those businesses), even though every sale of used music/book media could arguably be said to be one less of new media, with the profits of those sales not returning to the originators of the work or their publishers.

(I have to pause here to mention that I do believe in copyright. I believe in the validity and purpose of intellectual property. Artists and creators deserve to get paid and should be able to pursue violations of their copyrights when it is appropriate, and when that pursuit is not unduly elevated over other valued rights, and especially when the rights-violation is egregious. That said, there have to be limits on what any rights-holder should be allowed to do in pursuit of the protection of their stake. This blog should never be construed to be some libertarian screed against intellectual property rights, or an apologia for ruthless entrepreneurs who happily dismiss well-designed business models (and the people they feed) in the self-serving name of “innovation” and something chimerical, though interesting, called the “sharing economy.”)

The major rights-holders are now very motivated to prevent me and you from making copies of music and books and movies and so on. This has very little to do with the interests of working artists, but more to do with the technical ease with which we can now copy things, and also with the myriad ways that such copying can be observed and tracked like never before. The industry is also inventing new ways to control resale and personal sharing, and this is very novel. For example, books that you buy for a Kindle can’t be handed off to someone else. You can just barely “loan” a Kindle book to someone, but the terms suck. The enormous companies that control the majority of copyrights and eBook publishing are finding new ways to follow you into the formerly private spaces of your library and music collection–your home–to monitor and modify how you experience the creative works you may or may not have directly paid for.

I don’t blame them for wanting to do this: they are corporations, which are predatory organisms whose evolutionary mandate is to consume every ounce of profit that can possibly be consumed. But I can object to how they go about it. A feature of sharing, reselling and copying of books and music that we previously took for granted was that it was largely undetectable–it took place in the sanctum of your homes, your living rooms. Places, it seems, that are no longer truly private. Many “infringing” acts still are undetectable, as they should be. Just like historically unregulated acts like reselling a painting without paying a fee to the painter (or his publisher) or donating a book to your library book sale. With the advent of new ways to consume media, like the Kindle and iTunes, and due to the logging and tracking technologies embedded in internet and mobile device use, it has become very easy to detect and control all sorts of previously unrestrained activities over creative works, and rightsholders are very interested in doing just that.

Consider this: During a major lawsuit against YouTube’s parent company, Google, by Viacom, who sought to collect damages from YouTube claiming they were illegally profiting from hosting copyrighted content, Viacom won the right to view YouTube’s website logs revealing information about every user, every viewer, and every video on the site. Although they eventually conceded to anonymizing the user data, we know that anonymization doesn’t really work, and that evidence of my guilty-pleasure binge of watching old Journey videos (at work no less, identifiable by my IP address for sure) some years ago was handed over to someone without my assent. This may seem like a small thing, except that this really is the thin end of the wedge. Privacy protections for what we do with our surfing habits are already tremendously weak. Rights-holding corporations are going to exploit that, and their lobbying power is very strong. There is something very fucked up about my casual video viewing habits being scooped up and entered into evidence as part of a lawsuit that had nothing to do with me. And it really could have gone much farther:  Viacom specifically sought to view all of the videos on YouTube marked “private” by their owners. While that request wasn’t granted, I think it could have easily gone the other way. Do we own those “private” videos on YouTube? Should we have an expectation of privacy over our emotional outpourings, love-letters, and who-knows-what that falls into the category of a private YouTube video? Maybe, maybe not. Either way, the Viacoms of the world do not care. If they can demonstrate that our privacy rights are not as important as their copyrights, our already tattered privacy protections in the electronic worlds will be further eroded. Free speech, and even historical expectations of “ownership” are unimportant. What matters is that additional profits can be made or protected and all else is frivolous.

In the same way, and using the same logic that Amazon uses to control how we use eBooks, or that Apple controls how we use mp3s, or how media files are increasingly encoded with special signatures that govern whether or not or where they can be used, we should expect that, wherever possible, the industry is also watching our use, or could be forced to reveal that use to other interested parties from time to time, and that increasingly, what we do in our homes, with our art collections will no longer be our own damn business.

Our Corporate Overlords, Technology and The Law

Copyright Shaming Won’t Work

I’ve been reading Cory Doctorow’s latest book: Information Doesn’t Want to Be Free and it’s a good read. There is a lot of good stuff in here, even if I don’t exactly agree with his insistence that the world is as good as ever for artists who want to create work and get paid for it, despite the abundance of new ways to share that work online. Doctorow does offer a fresh perspective to the “copyfight” and his foundational arguments are compelling.

Including this one: shaming and prosecuting people for copying digital artworks without permission is futile and it’s mean. I’m not talking about people who are making money from ripping and reselling exabytes of digital art. (I refuse to resort to the stark and depressing term “content” to describe what humans make to express themselves.) I’m talking about the threats and actions being taken against individuals who acquire media from unauthorized places or in unauthorized ways for their own use, and who share it with friends, which is what most “piracy” is. Don’t get me wrong, I am very concerned about artists getting paid. I tried to making living as an artist for many years and I know many people who do it now. I want them to get paid for their work and I struggle with how complicated it has gotten for that to happen, but this is nothing new. Being a professional artist has always been very very hard. I also think that the companies that publish and distribute creative work deserve to get paid. But the problem we’re facing is not simply that a bunch of people are sitting at home copying files and thereby negatively impacting the incomes of artists and their enablers, it’s the entire ecosystem of arts and entertainment that has changed radically, and the villains in the highway robbery known as the “entertainment business” are still the same villains as 20 years ago–the major record labels, the movie studios, and, as Doctorow points out, the newly powerful “intermediaries” like Apple and Amazon. Working adversarily at times, and in concert at others, “the industry” has reimagined important parts of the arts business model in ingenious and artist-cheating ways that offer few, if any, additional benefits to “honest” consumers. While reinventing the business, the industry has gone to astonishing lengths to create new crimes and to increase the seriousness of old ones, and their motivations have virtually nothing to do with artists. It’s unfortunate that most working artists have to labor under the overbearing advocacy of the arts and entertainment industry, because artists still do have rights to assert. It’s just not clear that they would choose to assert them the way Sony and Universal and Amazon do.

I have copied music and movies. Lots of them. So have you I imagine. In the prime of my music-making and consuming life in the 1980s, 90s and early 2000s, I inhaled new music. I bought a great deal of music, but I also made cassette tapes and burned CDs of other people’s records, tapes and CDs. I watched entire seasons of The Sopranos on VHS tapes lovingly mailed by a girlfriend’s mom. These things were and still are illegal and I had some vague understanding that this might be “wrong,” but I didn’t care. Why? Because I was still paying good money for the stuff all the time. I was (and still am) supporting artists in myriad ways, and a lot of people still do, albeit in new ways that may not be tabulated as “units” like the old days. A key difference has transpired in the relationship between consumers and creative products. In the days when most media arrived in some sort of package, I felt I had complete ownership rights over what I bought. Total control of it once it was in my hands. The emerging business model now is “licensing.” You pay to use some intangible media, but you can’t do anything else (legally) with it, like share it with your spouse or friends. This is a significant paradigm shift for consumers who have been passing around books for hundreds of years, and recorded media for over a century. This radical shift how creative works are bought and paid for–especially the new limits inherent in the deal–is totally frustrating for people who just want to buy a record and then lend to friends. The business model of “use it for a moment and it’s gone” wasn’t built for us, and it pisses us off and makes us fairly sanguine about breaking the rules so that it does work for us. This is exacerbated by the fact that the same technology that makes media increasingly intangible, also makes it much easier to share. This is not the fault of the sharers, and the industry has also benefited and found lots of new ways to make money from the same intangibility. Copying files remains very easy to do, and since it’s easy, we’re all going to use the objects we have at our disposal because that’s what free, imaginative people do.They don’t wring their hands and recite honor codes handed down by corporations when they want to hear a song. That’s why I owned a tape-to-tape deck in the 1980s and used it to copy music. Trying to convince people not to use the tools in front of them is simply untenable. Making us all outlaws over it is a Kafkaesque absurdity.

Here is a scenario: My wife Sarah and I take a trip together and bring our Kindles, each loaded up with four books. Sarah finishes a book and says “you’ve got to read this.” I say “great, I just finished my book. Give me yours.” The problem is that its stuck on her Kindle and she wants to read one of her other books. She’s not much interested in the rest of mine. Here is where the trouble starts: I just want to borrow a fucking book. I don’t want to manage user accounts or visit an Amazon website to arrange a 14 day loan, or whatever laughably paltry solution they offer. If, at that moment, someone handed me a little box that could make the two Kindles share books, but it ran an illegal program and using it violated some non-negotiable terms of service I was forced to agree to in order to have any technology in my hands at all, I would very likely say “fuck it” and “yes please.” In one form or another, this is what is happening everywhere, except that it’s a lot simpler to copy using the Internet, and it’s not going to get any harder. Making it a crime is not the solution.

This is a rant that does not offer solutions to the bottom-line challenges for artists, and I know that. There are serious problems with the business of being a working artist in the 21st century and file-sharing does play a role. But it’s technically infeasible to stop people from sharing media files, and the sharing is as old as the means to record and preserve the work. It’s incredibly easy to right-click and choose “save,” which is why it feels like, at worst, a “thought crime” and not a real crime at all. No amount of shaming is going to stop that, and prosecuting people only demonstrates a very scary sort of corporate power that we are seeing more and more throughout society. There are other ways to get people to pay for art, and a lot of that reward the artist directly rather than through huge entertainment corporations. Live performance, pay-what-you-will schemes, merchandising, etc. These aren’t optimal money-makers for all creative artists, but it works for some artists, and arguably has given rise to new types of creativity. Whether or not the new deal rescues art-as-we-knew-it is an open question, but I don’t think we can continue to rely on the arts-business models of the 1950s and 60s. It was a good time, but things have changed.

Power and Privilege, Privacy

Privacy and Privilege (first of many)

I have been thinking a lot about how privacy intersects with privilege, meaning, what one’s wealth and position mean in a surveilled world. A couple of recent talks in Seattle by Cory Doctorow, in which he alluded to the connection between privacy and privilege, reminded me that I can’t think of anyone else who has publicly addressed the issue–even within information ethics circles. I think it’s time we started addressing it. Setting aside, for now, epistemological and normative arguments about whether or not–or how much–we should be concerned about the ongoing diminishment of personal privacy by both the state and the private sector, I think it can safely be argued that privacy does have value to most people. Since the revelations of massive NSA data-collection by Edward Snowden, changes in attitudes towards data privacy are beginning to emerge. People using digital gadgets and systems do cherish their privacy, even if they don’t exactly rend their clothes or take to the streets in response to losing it. Even those who claim to eschew the value of privacy still demonstrate an attachment to it, as with Mark “privacy is an evolving concept” Zuckerberg and news of his purchase of the houses surrounding his in order to preserve his privileged isolation from the masses. As in the physical world, it’s hard to imagine that those with the power to attain more privacy will not seek to attain it in the digital realm.

We can easily point to ways in which privacy loss is already experienced more acutely by marginalized and poor people. Food stamp recipients (no longer using coupons, but instead trackable payment cards) reveal their grocery lists whenever they shop so that they can be prevented from purchasing banned items like alcohol, while those receiving corporate welfare are not prevented from buying alcohol, vacations, governments, etc. Low-income victims of domestic violence must reveal intimate facts of their lives to the state in order to gain a measure of protection while a wealthy victim might avoid this using paid legal counsel, bodyguards, self-imposed protective-custody at a resort, etc. Finance companies have recently begun using remote ignition locks to disable cars whose owners get behind on payments. The addition of such devices is an unlikely requirement for Lexus buyers, even with debt obligations.

Closer to home I had an experience that revealed the limits of my own privilege where privacy was concerned. I recently renegotiated my auto-insurance and, due to an unfortunate mishap involving a rental car, a primitive road, and a tree, my initial quote shot up hundreds of dollars. However, I was offered the option to cut that increase in half in exchange for attaching a device to the data port of my car that logged and transmitted information about my driving habits. The system, called “Rewind,” tracked and scored me by rates of acceleration and braking, and also by the time of day of my trips (late night driving was a demerit). While my driving destinations weren’t part of my scorecard, that information was also collected and I could view it on their website. After 6 months of surveillance and a sufficient amount of driving acts that met this company’s standards, my rate increase was reduced as promised. Had I been wealthier, there are many ways I could have avoided that surveillance. I might have chosen full-coverage on the rental car, for a start, which would have made the rental-car accident a non-issue for my insurance carrier. I could have paid someone to drive a car safely on my behalf. I also could have said “fuck it” and chosen to pay a higher insurance rate rather than agree to surveillance. I was surveilled precisely because I was unable/unwilling to pay to opt out. We see an increasing number of these “choices” offered to us, from the grocery store discount card to that “free” webmail account to the use of “free” mobile apps that collect info about our travels an habits. An increasing number of desirable services exchange surveillance for the opportunity to save money or use unpaid services. As Michel Foucault pointed out in “Discipline and Punish,” surveillance is a form of discipline and an exercise of power. My insurance carrier’s “option” for me to accept voluntary surveillance in exchange for a rate reduction is a nakedly disciplinary act, and one that I was subjected to because I couldn’t bear to pay the extra freight.

However, it’s not as if there are currently all that many ways for the more privileged to become invisible to the web of surveillance that follows us through the public square, across the thresholds of our homes, and into places that we once believed were entirely walled-off from the rest of humanity. In addition to making a lot of the same choices as everyone else to save a little money or get seemingly free stuff, privileged people use credit cards, shop online, view pornography, play fantasy-football, send email, and buy the latest gadgets like iPhones with as much, if not more vigor, than the rest of us. So many of our consumer and information seeking habits are now mediated by technologies that expose information about us that it’s nearly impossible for anyone to completely dodge the giant maw of data harvesting. However, I think this is only a temporary condition, at least for the well-off.

With market societies being what they are, and with privacy’s value increasingly debated and recognized, it’s likely that in short order we’re going to see a burgeoning market in privacy products and a myriad of technology choices for those  who can afford them and are sophisticated enough to use them. Depending on your views about why surveillance is becoming so prevalent and truly invasive, one thing is clear: Those with power, either financially or politically, are advancing, and benefiting from, the erosion of our cherished privacy rights. History shows that those closest to power are in the best position to avoid losing what they cherish.

Some attribution credit is due to Cory Doctorow, who mentioned some of the underlying facts alluded to in this post.